React2Shell, also known as CVE-2025-55182 / CVE-2025-66478, is a vulnerability in React Server Components that allows remote attackers to execute arbitrary code.
That’s serious!
There are now 2 ways that you can detect this vulnerability in ZAP:
- Retire.js add-on, which detects it passively
- Active Scan Rules which contain a brand new Remote Code Execution (React2Shell) rule
The new Remote Code Execution (React2Shell) rule will detect the vulnerability in Next.js apps and is based on the great work by Searchlight Cyber.
As you may know, we usually publish new rules at the “alpha” level and then promote them to “beta” and “release” based on feedback.
In this case we have decided to promote it straight to “release” - it's a critical vulnerability, the rule only makes one request per host, and it appears to be a very reliable check.
Your feedback, as always, is much appreciated.